Description of problem:
A non-admin user reported that when they edit an activation key and add a subscription, the subscription they added cannot be seen in the "List/Remove" tab. In fact, they can't see any subscriptions there.

Version-Release number of selected component (if applicable):
tfm-rubygem-katello-3.0.0.81-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. assuming the satellite already has an org and a few locations, and the sub manifest is imported
2. create a role 'test' with the following permissions:
   - all permissions under organization
   - all permissions under content views
   - all permissions under LC environments
   - all permissions under activation keys
3. create a user 'jdoe', attach only the 'test' role
4. log in as jdoe
5. create an activation key
6. add a few subscriptions to the activation key
7. go back to the 'List/Remove' tab
8. verify if any added subscriptions can be seen there

Actual results:
The tab says 'You currently don't have any Subscriptions associated with this Activation Key, you can add Subscriptions after selecting the 'Add' tab.'

Expected results:
A list of added subscriptions

Additional info:
The issue is caused by one missing permission.

The scoped_search returned an #<ActiveRecord::Relation []>, which is why the subscription list is empty. The empty object comes from Pool.readable, which is defined in authorization/pool.rb.

(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/controllers/katello/api/v2/subscriptions_controller.rb)
-- snip --
    api :GET, "/organizations/:organization_id/subscriptions", N_("List organization subscriptions")
    api :GET, "/activation_keys/:activation_key_id/subscriptions", N_("List an activation key's subscriptions")
    api :GET, "/subscriptions"
    param_group :search, Api::V2::ApiController
    param :organization_id, :number, :desc => N_("Organization ID"), :required => true
    param :host_id, String, :desc => N_("id of a host"), :required => false
    param :activation_key_id, String, :desc => N_("Activation key ID"), :required => false
    param :available_for, String, :desc => N_("Object to show subscriptions available for, either 'host' or 'activation_key'"), :required => false
    param :match_host, :bool, :desc => N_("Ignore subscriptions that are unavailable to the specified host")
    param :match_installed, :bool, :desc => N_("Return subscriptions that match installed products of the specified host")
    param :no_overlap, :bool, :desc => N_("Return subscriptions which do not overlap with a currently-attached subscription")
    def index
      # <-- this call returned #<ActiveRecord::Relation []>
      collection = scoped_search(index_relation.uniq, :cp_id, :asc, resource_class: Pool, includes: [:subscription])
      if params[:activation_key_id]
        key_pools = @activation_key.get_key_pools
        collection[:results] = collection[:results].map do |pool|
          ActivationKeySubscriptionsPresenter.new(pool, key_pools)
        end
      end
      respond(:collection => collection)
    end

    def index_relation
      return for_host if params[:host_id]
      return available_for_activation_key if params[:available_for] == "activation_key"
      # <-- the empty relation comes from Pool.readable
      collection = Pool.readable
      collection = collection.where(:unmapped_guest => false)
      collection = collection.get_for_organization(Organization.find(params[:organization_id])) if params[:organization_id]
      collection = collection.for_activation_key(@activation_key) if params[:activation_key_id]
      collection
    end
-- snip --

Apparently, only a user with the permission :view_subscription (NOT :view_subscriptions) from resource type 'Katello::Subscription' is allowed to read pools.

(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/models/katello/authorization/pool.rb)
-- snip --
    module ClassMethods
      def readable
        where(:subscription_id => Katello::Subscription.authorized(:view_subscription))
      end
    end
-- snip --

The problem is that there is no such permission in the permissions table.

    foreman=# select * from permissions where name like '%view_subscription%';
     id  |        name        |     resource_type     |         created_at         |         updated_at
    -----+--------------------+-----------------------+----------------------------+----------------------------
     172 | view_subscriptions | Organization          | 2015-08-28 09:34:19.93697  | 2015-08-28 09:34:19.93697
    (1 rows)

(note: view_subscriptions != view_subscription)

The user is able to see the subscriptions when the missing permission is added.

    foreman=# insert into permissions (name,resource_type,created_at,updated_at) values ('view_subscription','Katello::Subscription',current_timestamp,current_timestamp);
    INSERT 0 1
    foreman=# select * from permissions where name like '%view_subscription%';
     id  |        name        |     resource_type     |         created_at         |         updated_at
    -----+--------------------+-----------------------+----------------------------+----------------------------
     172 | view_subscriptions | Organization          | 2015-08-28 09:34:19.93697  | 2015-08-28 09:34:19.93697
     270 | view_subscription  | Katello::Subscription | 2016-11-03 03:53:40.421009 | 2016-11-03 03:53:40.421009
    (2 rows)
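
The mismatch found in the comment above can be checked for mechanically. This is an added example, not Katello or Foreman code: it extracts `Model.authorized(:permission)` references from source text and reports any that have no matching row in the permissions table. The helper names, the regex and the sample constants are assumptions; the sample input is constructed from the snippet and query output quoted above.

```ruby
require "set"

# Matches calls such as Katello::Subscription.authorized(:view_subscription)
AUTHORIZED_CALL = /([A-Z][\w:]*)\.authorized\(\s*:(\w+)/

# Returns [[resource_type, permission_name], ...] referenced in Ruby source.
def referenced_permissions(source)
  source.scan(AUTHORIZED_CALL).uniq
end

# registered: array of {name:, resource_type:} rows from the permissions table.
# Returns one finding per referenced permission that has no exact row, plus
# registered near-misses (same name when a trailing "s" is ignored).
def missing_permissions(source, registered)
  known = registered.map { |r| [r[:resource_type], r[:name]] }.to_set
  unknown = referenced_permissions(source).reject { |pair| known.include?(pair) }
  unknown.map do |type, name|
    near = registered.select { |r| r[:name].chomp("s") == name.chomp("s") }
    { resource_type: type, name: name,
      near_misses: near.map { |r| "#{r[:name]} (#{r[:resource_type]})" } }
  end
end

# Constructed sample: the scope from authorization/pool.rb quoted above.
POOL_RB = <<~'SRC'
  module ClassMethods
    def readable
      where(:subscription_id => Katello::Subscription.authorized(:view_subscription))
    end
  end
SRC

# Constructed sample: permission rows before and after the manual insert.
BEFORE = [{ name: "view_subscriptions", resource_type: "Organization" }]
AFTER  = BEFORE + [{ name: "view_subscription", resource_type: "Katello::Subscription" }]

if __FILE__ == $PROGRAM_NAME
  missing_permissions(POOL_RB, BEFORE).each do |f|
    puts "unregistered: #{f[:name]} on #{f[:resource_type]}; " \
         "similar: #{f[:near_misses].join(', ')}"
  end
end
```

An authorization scope that names an unregistered permission fails closed for every non-admin user, so a check like this is useful in CI whenever permissions are renamed or moved between resource types.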
This bugzilla is a duplicate of bug 1333219 and has a fix upstream. I am going to close this bugzilla, but will bump up the priority of the other in hopes that it can get incorporated into an upcoming 6.2.z.

*** This bug has been marked as a duplicate of bug 1333219 ***